One thing became crystal clear during this week’s hearings involving the leaders of information brokers ChoicePoint and LexisNexis (among others) by a House Energy and Commerce subcommittee and the Senate Banking Committee (here and here): namely, the intent of policymakers to take action toward regulating the information brokerage industry. Indeed, the question now is less about whether Congress will decide to regulate this industry and more about the nature and scope of such regulation.
On the House side, full Energy and Commerce Committee Chairman Joe Barton (R-TX) (as reported by the Washington Post) went so far as to call the routine sale of consumers’ Social Security numbers without their knowledge or persmission “just wrong,” while Banking Committee Chairman Richard Shelby (R-AL) likened the data collections managed by data brokers to a “treasure trove” of personal financial information. Other highlights from the hearings included the testimony from Federal Trade Commission (FTC) chair Deborah Platt Majoras, ChoicePoint CEO Derek Smith, LexisNexis CEO Kurt Sanford, and EPIC director (and USACM member) Marc Rotenberg.
As a result of recent revelations of unauthorized personal information disclosures, hacking, and fraud at companies like ChoicePoint, LexisNexis, and Bank of America, information brokers and others who handle sensitive personal information find themselves on the defensive like never before. It is apparent that many in the U.S. — policymakers included — were previously unaware of (1) the kinds and volume of personal information handled and sold by brokers, (2) the fact that such information is regularly bought and sold, (3) the seeming ease with which such information can be obtained, and (4) the fact that information brokers operate largely free of the kinds of government regulations that cover other arguably similar companies.
Policymakers mentioned or hinted at several policy responses. Full Energy and Commerce Committee chairman Barton alluded to legislation that might arise later this Spring once committee members have digested this hearing and assimilated other points of view. Specifically, Barton hinted at legislation that would prohibit the unauthorized sale of Social Security numbers. Meanwhile, Subcommittee on Commerce, Trade, and Consumer Protection Chairman Cliff Stearns (R-FL) has already introduced new legislation, the “Consumer Privacy Protection Act of 2005” (H.R. 1263), that contains provisions relating to giving consumers notice of data collection and use, preventing and recovering from identity theft, and assessing how international laws and regulations bear on these issues. Given Stearns’ leadership position, his bill seems to be a likely vehicle for regulating data brokers. In addition, Senator Diane Feinstein (D-CA) earlier this year introduced legislation (S. 115) that would create a federal law similar to the California law that helped bring the ChoicePoint data breaches to light.
One response that met with a good deal of agreement among the hearing’s panelists (although also an area of concern for a number of privacy advocates) was the notion of making information brokers subject to the same guidelines regarding the handling of personal information as the financial services industry. For example data brokers could be brought explicitly under the jurisdiction of existing laws such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and so on. Meanwhile, companion bills introduced by Congressmen Markey (in the House) and Nelson (in the Senate) would bring information brokers under the official aegis of the FTC by requiring the commission to create new regulations with respect to the conduct of information brokers and the protection of personally identifiable information that they hold.